Cybersecurity law given thumbs up by European Union’s ministers

Formal adoption paves way for legislation at national level within next two years.

European ministers formally adopted new cybersecurity legislation on Tuesday morning—paving the way for national laws in the next two years.

Under the Network and Information Security Directive, so-called “essential services” operators and “digital service providers”—including online marketplaces, search engines, and cloud services—will have to take measures to manage risks to their networks. They will be expected to notify national authorities about cyber incidents.

Each country in the 28-member-state bloc will also be required to designate at least one national authority to deal with cyber threats.

The question of which “digital service providers” would be included was a sticking point in drawing up the law. Under the final compromise, businesses that already fall under “sector-specific” regulation that deals with information and network security issues will be exempt. It will be up to each country to draw up a list of companies or to set out other “objectively quantifiable criteria” to determine which organisations will be subject to the law.

Although the directive has been in the pipeline for some time, ministers are now keen to move quickly. Europe’s network and information security agency has already begun work on implementation. Meanwhile, two informal meetings of the network of computer security incident response teams—set up under the directive—have already taken place.

The European Parliament must also give its formal ruling in the coming months: it has already agreed to the rules in principle. Once a parliamentary decision has been made, the directive—as expected—can then enter into force in August 2016.

The clock will then start ticking on governments to implement the directive into national law within 24 months.